Encrypting files with PGP is fine. PGP itself has no vulnerability. So using e.g. gnupg for signing files is fine. It is certain email clients or plugins that are vulnerable when decrypting encrypted emails. Besides, encrypted, pure text email is fine. Encrypted html emails are vulnerable.
johanh ( 2018-05-16 21:34:26 +0200 )

The vulnerability comes from the fact that the standard doesn't mandate integrity checks of the encrypted data. An attacker can add HTML code to the content that, when parsed, for example triggers loading of remote content (if allowed by the email client). In those requests decrypted content can be exfiltrated. Software that (currently against the standard) refuses to decrypt the contents if integrity checks are missing or failing is presumably safe. I assume that anybody who adds support for encryption to the email client in Sailfish OS is aware of this vulnerability and makes sure that integrity checks are required when loading emails. See more for example at eff.org and The Mozilla Thunderbird Blog.
luen ( 2018-05-17 00:42:38 +0200 )
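
The check described in the comment above (refusing to decrypt when integrity protection is missing), as an added example that is not part of the original thread or of any Sailfish OS code: a minimal RFC 4880 packet-header parser that refuses messages carrying a Symmetrically Encrypted Data packet (tag 9, no integrity check) and only lets through the integrity-protected form (tag 18, with MDC). The function names `packets` and `integrity_verdict` and the sample bytes are hypothetical and constructed for illustration.

```python
SED, SEIPD = 9, 18  # RFC 4880 tags: 9 = no integrity check, 18 = with MDC

def _new_length(data, i):
    """Decode a new-format length at data[i] -> (length, next_index, partial)."""
    o = data[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2, False
    if o == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (o & 0x1F), i + 1, True  # partial body chunk, more follow

def packets(data):
    """Yield (tag, body) for each top-level packet of a binary OpenPGP message."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if hdr & 0x40:  # new-format header
            tag, partial, body = hdr & 0x3F, True, b""
            while partial:
                n, i, partial = _new_length(data, i)
                body += data[i:i + n]
                i += n
        else:  # old-format header; length type 3 means "runs to end of input"
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            size = 0 if ltype == 3 else 1 << ltype
            n = int.from_bytes(data[i:i + size], "big") if size else len(data) - i
            i += size
            body = data[i:i + n]
            i += n
        if i > len(data):
            raise ValueError("truncated packet")
        yield tag, body

def integrity_verdict(message):
    """Policy: refuse if any encrypted-data packet lacks integrity protection."""
    enc = [t for t, _ in packets(message) if t in (SED, SEIPD)]
    if not enc:
        return "no-encrypted-data"
    # Tag 18 is necessary, not sufficient: the MDC must still verify on decrypt.
    return "refuse" if SED in enc else "ok-to-attempt"

PKESK = bytes([0xC1, 3]) + b"\x00" * 3                 # constructed dummy tag 1 packet
PROTECTED = PKESK + bytes([0xD2, 5, 1]) + b"\xAA" * 4  # constructed tag 18, version 1
UNPROTECTED = PKESK + bytes([0xA4, 4]) + b"\xAA" * 4   # constructed old-format tag 9
```

A client would run such a check before handing the message to the decryption step, and would still have to treat an MDC verification failure during decryption as fatal rather than as a warning.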
Where do you see pdp in sfos?
pawel ( 2018-05-16 07:53:49 +0200 )

Right, not now. But in the future with functional (business) upgrades in sfos 2.2 - 3.x?
4carlos ( 2018-05-16 08:06:20 +0200 )